[Openstack-devel] Bug#708515: Bug#708515: keystone: CVE-2013-2014 DoS via large POST requests
Thomas Goirand
thomas at goirand.fr
Thu May 16 11:24:25 UTC 2013
On 05/16/2013 05:22 PM, Nico Golde wrote:
> Package: keystone
> Severity: grave
> Tags: security patch
>
> Hi,
> the following vulnerability was published for keystone.
>
> CVE-2013-2014[0]:
> | Concurrent requests with large POST body can crash the keystone process.
> | This can be used by Malicious and lead to DOS to Cloud Service Provider.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Upstream patch: https://review.openstack.org/#/c/22661/
>
> Seems to be fixed for experimental in 2013.1-1.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
> http://security-tracker.debian.org/tracker/CVE-2013-2014
Hi,
The status of the patch you are linking to is "Abandoned", so that
doesn't seem right, upstream must have another patch.
Thomas
More information about the Openstack-devel
mailing list